Diffed the filesystem against an official ZIP of WordPress 3.1.3 and removed or overwrote anything that did not match.

I am quite sure that

all the files on disk are official WordPress 3.1.3 files

there are no "extra" files on disk other than my one /theme, the Exploit Scanner plugin (which I just downloaded), the /uploads folder, and a tiny handful of other expected files. My other plugin, wp-recaptcha, matches the current official downloaded version.

I also checked the .htaccess file and nothing looks wrong there

I did not touch the database, but I am struggling to think how anything in the database could be malicious without special PHP code to make it work?

My WordPress blog appears OK and hack-free now (I think), but is there anything else I should check?

Sorry, I neglected to mention: I changed the WordPress passwords, of course. Updated the post and checked that off on the list here! I can't think of any way they could have my hosting password, or the FTP password, just by getting into WordPress; that information is nowhere in the filesystem or database.
– Jeff Atwood♦ Jun 10 '11 at 16:18

@Jeff some server-level exploits you have no control over (aside from finding a better host). But just because you haven't used host/FTP credentials doesn't mean that someone hasn't stolen them, by gaining access to your hosting account.
– Chip Bennett Jun 10 '11 at 16:36

7

There is a very common exploit making the rounds where malware infects your workstation (or the workstation of a contractor), digs through your saved passwords in your favorite FTP (or FTP-enabled) program, and sends those to the attacker, who then compromises your site and uses it to spread the same malware to other webmasters. That is one common way in which your FTP password gets stolen. What's particularly insidious is that it's spread through normal sites like yours, not the seedy ones where you're likely to be careful.
– tylerl Jun 10 '11 at 17:09

Looking at the Google Chrome "safe browsing" message, you're getting the ".cc iFrame hack" that seems to be going around a LOT lately. I think 3.1.3 will fix this, but check your index.php file in the root of your site; that's where it kept hitting me until I got EVERYTHING updated and passwords changed.

There is some VERY tricky stuff folks can do with post and comment injections. You can run the following queries against your database to help find some of them. I blogged the rest of my "tracking" here.

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<?%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<?php%'

SELECT * FROM wp_comments WHERE comment_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%display:%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<?%'
UNION
SELECT * FROM wp_comments WHERE comment_content LIKE '%<?php%'

I would add SELECT * FROM wp_* WHERE comment_content LIKE '%<?%' and SELECT * FROM wp_* WHERE comment_content LIKE '%<?php%' just to be sure...
– SeanJA Jun 10 '11 at 16:04
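The same post/comment sweep, as an added example that is not part of the answer above: it runs the four LIKE patterns from the queries against constructed wp_posts / wp_comments rows in an in-memory SQLite table and then suppresses the one class of expected match (an iframe whose src is on an assumed allowlist of embed hosts, e.g. Vimeo), so a hidden or unknown-host iframe, a noscript block, or a PHP tag is still reported.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows standing in for wp_posts and wp_comments (not real data).
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<iframe src="https://player.vimeo.com/video/123"></iframe>'),
    (3, '<div style="display:none"><iframe src="http://bad.example.invalid/x.php"></iframe></div>'),
]
SAMPLE_COMMENTS = [
    (10, "Nice post!"),
    (11, '<noscript><a href="http://spam.example.invalid">cheap pills</a></noscript>'),
    (12, "what about <?php ?> tags?"),
]

# Same LIKE patterns as the queries above ('%<?php%' is already covered by '%<?%').
PATTERNS = ["%<iframe%", "%<noscript%", "%display:%", "%<?%"]

# Assumed allowlist: embed hosts you know your own content uses.
ALLOWED_EMBED_HOSTS = {"player.vimeo.com", "www.youtube.com"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT)")
    db.execute("CREATE TABLE wp_comments (comment_ID INTEGER, comment_content TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?)", SAMPLE_POSTS)
    db.executemany("INSERT INTO wp_comments VALUES (?, ?)", SAMPLE_COMMENTS)
    return db

def matched_patterns(content):
    low = content.lower()
    return [p for p in ("<iframe", "<noscript", "display:", "<?") if p in low]

def iframe_is_benign(content):
    """True only if every <iframe src=...> points at an allowlisted host."""
    srcs = re.findall(r'<iframe[^>]+src=["\']([^"\']+)', content, re.I)
    return bool(srcs) and all(urlparse(s).hostname in ALLOWED_EMBED_HOSTS for s in srcs)

def scan(db, table, id_col, text_col):
    """Return [(row id, [patterns hit])] for rows that still look suspicious."""
    where = " OR ".join(f"{text_col} LIKE ?" for _ in PATTERNS)
    sql = f"SELECT {id_col}, {text_col} FROM {table} WHERE {where} ORDER BY {id_col}"
    suspects = []
    for row_id, content in db.execute(sql, PATTERNS):
        hits = matched_patterns(content)
        if hits == ["<iframe"] and iframe_is_benign(content):
            continue  # an expected embed (e.g. Vimeo), not an injection
        suspects.append((row_id, hits))
    return suspects
```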

4

Oh, one final note. I'm assuming you have Google Webmaster Tools tied into this domain. Once you get things cleaned up you can submit a request from your Webmaster Tools account to have Google rescan the site and remove the warning message. They typically process requests from Webmaster Tools within a day. Otherwise you get on the "naughty list" for a good 90 days.
– Dillie-O Jun 10 '11 at 16:06

Found a bunch of results but it's because of embedded iframes for Vimeo.
– tooshel Jun 10 '11 at 16:19

Oh, and try to understand how the attacker found his way into your site. On shared accounts it is often the whole server. Check the other sites on the server for hacked blogs or other pages too. Read your FTP log. If you don’t know how it happened you cannot prevent the next break-in.

@Jeff Atwood I wouldn’t rely on that. Your user table is not that big. You can easily read it without any plugin.
– toscho♦ Jun 10 '11 at 15:55

I checked the wp_users table and there are only 2 rows, both expected. Nothing unusual in the /upload folder (just gifs and pngs and jpegs).
– Jeff Atwood♦ Jun 10 '11 at 16:00

@Jeff Atwood Did you look into the files or just at the extensions? Are all those files listed in the media library?
– toscho♦ Jun 10 '11 at 16:02

4

Image files are a fairly common payload delivery method. See here, and the Theme Review Team has also run into Themes using a similar TIFF exploit. So, yeah: I'd check each one, to ensure it's part of the Media Library. (Easy high-level scan: check for images that don't have thumbnail sizes defined.)
– Chip Bennett Jun 10 '11 at 16:16
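An added example (not from the thread) of looking into the files rather than at their extensions, as the two comments above suggest: it walks an uploads folder, compares each file's extension with its leading magic bytes, and flags anything that is not one of the expected image types or that carries an embedded `<?php` tag. The sample tree is constructed in a temporary directory; the function and file names are assumptions.

```python
import os
import tempfile

# Leading bytes for the image types an uploads folder normally holds.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def check_file(path):
    """Return a reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        body = fh.read()
    if ext not in MAGIC:
        return "unexpected extension"
    if not any(body.startswith(m) for m in MAGIC[ext]):
        return "extension does not match file header"
    # A genuine image header does not rule out PHP code tucked into the body.
    if b"<?php" in body:
        return "PHP code embedded in image"
    return None

def scan_uploads(root):
    """Return sorted [(relative path, reason)] for every suspicious file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = check_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def make_sample_uploads():
    """Constructed sample tree: a clean PNG, a non-image renamed .jpg, a GIF with PHP appended, a stray text file."""
    root = tempfile.mkdtemp()
    samples = {
        "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "renamed.jpg": b"<?php /* constructed sample, not a real payload */ ?>",
        "photo.gif": b"GIF89a" + b"\x00" * 32 + b"<?php /* appended */ ?>",
        "notes.txt": b"hello",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Files that pass this check should still be cross-checked against the Media Library, since a clean image that nobody uploaded is itself a finding.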

verify that your site hasn't been flagged as compromised, and request reconsideration if it has

check your site as Googlebot and verify that there's no spam being inserted which is only visible to Googlebot; an example of this is the WP Pharma hack

Also, I'd re-implement the theme, or check it extremely carefully. A few lines of PHP can redefine core PHP functions so that they extract malicious code from the database, especially the wp_options key / value store tables.

"is there anything else I should check?"
You need to examine your process, and find out how you were hacked (almost certainly because you didn't patch in time, or correctly) and fix that too, not just the symptoms.

I doubt it had to do with not updating WordPress (although it is possible, it's just not probable). WordPress itself is almost never the exploit vector. The usual vectors are insecure host configuration, and stolen FTP credentials.
– Chip Bennett Jun 10 '11 at 16:03

There were malicious scripts in the filesystem (PHP base64_decode stuff). However, the database 'posts' & 'comments' tables had been compromised and the iframe code was scattered through that data as well.

I use a cloud server and have random wacky SSH port numbers, no FTP at all. Passwords are extremely difficult to hack. All root access is completely denied. I agree that WordPress is not going to be your culprit. Other things to check for are FTP sessions not closing and a virus on your personal computer (remember you can upload a file to your site and whoever loads that file can get the same virus); also don't keep your passwords on public sites or private sites; always write them down on paper, never in a Word document or Notepad.

Lastly, ask your host if they recently had a breach, as they should have a firewall set up.